Most computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but the same users often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Indeed, bugs that reside in attack software of the sort sold to criminals are extremely valuable to law enforcement officials and so-called “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations.
Administrative page from a live Crimepack exploit kit.
Last week, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software.
Speaking at the Syscan security conference in Singapore, Laurent Oudot, founder of Paris-based TEHTRI Security, released security advisories broadly outlining more than a dozen remotely exploitable flaws in Eleonore and other exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs.
“It’s time to have strike-back capabilities for real, and to have alternative and innovative solutions against those security issues,” Oudot wrote in a posting to the Bugtraq security mailing list.
Oudot says he is reluctant to release more information about the vulnerabilities until next month, when he is slated to discuss the findings at another Syscan conference in China. But in an interview with KrebsOnSecurity, Oudot said that in the days since his advisory was published, a number of folks in the security community have come out against the idea of sharing the exploit pack vulnerability information more broadly.
For one thing, detractors argue, telling the world about these flaws will, in all likelihood, prompt the creators of these vulnerable tools to ship updates that fix the security weaknesses. The latest version of Eleonore, for example — version 1.4.1 — is among several updates shipped for Eleonore during the past year alone. Critics also say that while the vulnerability disclosure could give law enforcement officials and “white hat” hackers new tools to infiltrate and disrupt cyber crime operations, that information is just as likely to be exploited by novice hackers with far less noble intentions.
For his part, Oudot isn’t swayed by either argument.
“We will see if the defenders will be able to find vulnerabilities again,” Oudot said of the likelihood that the exploit pack makers would patch the holes. “We can all decide to fight back, or to be victims. It’s like in some countries, there are many terrorists but nobody attacks them. It’s a choice of future.”
Oudot said his team has received several e-mails from legal and security experts questioning whether they might be violating any laws by disclosing the information.
“Also, we got some IT security friends who told us that it could be interesting to keep it a little bit secret for a short period of time, so that the blackhats who build such tools would not be able to react properly in a short future,” Oudot wrote. “Our goal was to initiate real discussions in the world about cyber security and how to handle cyber threats. Our main purpose was to offer a new vision, a new future action field. Now, the companies, the lawyers, the international organizations, etc., will have to make choices.”